Splunk Search

Why am I getting Invalid lookup table?

szabados
Communicator

I want to use a lookup table, but every time, I add the command to my search "| lookup name_of_my_lookup", I'm getting the "Error in 'lookup' command: The lookup table 'name_of_my_lookup' does not exist or is not available. "

When I try to load the same lookup with "| inputlookup", it works fine, I see all the contents.
I didn't find any more detailed error message.

What am I doing wrong?


Update: without changing anything, the issue is gone now. The lookup works now as expected, but I would be still interested in understanding what went wrong, not to make the same mistake again in the future.

Labels (1)

bwhite
Engager

For future users facing this, this can be caused by leading or trailing white space around the name of either the file or the lookup.  Recreate and see if that fixes it.

0 Karma

the_wolverine
Champion

I've also seen this happen with improperly formatted lookup files where there are missing columns.

Internally, you could search:
index=_internal source="/opt/splunk/var/log/splunk/splunkd.log" lookup table invalid

02-01-2018 15:41:44.309 -0800 WARN  SearchOperator:inputcsv - sid:searchparsetmp_741145440 The lookup table 'mylookup.csv' is invalid.

In this case the lookup file was missing a first column, e,g.

,field2,field3,field4
,cod,fish,tiger
,worm,bat,mouse

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi szabados,
did you get global permissions both to your lookup File and Definitions?
Bye.
Giuseppe

jkat54
SplunkTrust
SplunkTrust

You need to add a lookup definition and make sure the permissions are correct on it. Without the definition you'll have to add .csv to the name when you use it.

Settings -> lookups -> lookup definition

jkat54
SplunkTrust
SplunkTrust

@szabados

It's likely the permissions / configurations hadn't replicated yet.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...